security versus usability

This morning, I noticed that we got some feedback from an unhappy Entourage user that says:

How DARE you prevent, by DEFAULT, the ability to see images in my email program!?!?!?! I just forked out good money for Office 2004 thinking that there would be improvements – and instead I find some LUDITE has made a decision that should be left up to the user – I do not NEED to have my email “secured” from images – I LIKE the images appearing automatically – LIKE THEY DID BEFORE in the previous version of Entourage – in fact I’m switching back.

THANKS FOR NOTHING!! Use your brains to improve a product – not diminish it.

It’s feedback like this which makes me amused at the assertion that I got via email a couple of months ago that we only set up the anonymous product feedback so that we’d get fawning we <3 Microsoft feedback.

Usability doesn’t exist in a vacuum. My life would certainly be easier, but a lot less interesting, if it did. When I study usability and try to make improvements, I have to deal with the real world, which means that we don’t get to provide you with the perfect user experience. We have to make trade-offs. We don’t have unlimited resources. We don’t have a perfect technological solution to everything. And we have to deal with security concerns.

Entourage 2004 has a couple of security features that has a detrimental effect on the short-term user experience. By default, Entourage doesn’t automatically download any image that is sent to you via email. You can change that through the Preferences menu (Entourage -> Preferences -> Security -> Automatically download …), but that doesn’t get you every image that is sent to you. That only gets you images that is sent to you by people who are listed in your Entourage address book. If you get email with pictures from someone who isn’t in your Entourage address book, you have to manually click that ‘Download images…’ link in the email message.

This feature makes some of our users quite upset, as you can see from the above feedback. And I’ve already admitted that it has a detrimental effect on the short-term user experience. So why haven’t I shouted at anyone who will listen until we change it? This is one of the more difficult trade-offs that we have to make: security versus usability. For Entourage users, the most usable thing to do would be to automatically download every image, so that you see the email that you expect to see and don’t have to notice that there are missing images and then move your hand to the mouse (if it’s not already there) and click the link.

The problem is one of security. Think about the spam that you get, or those spoofed messages from banks (real or not) that want you to enter lots of your personal details on some random faked website. If Entourage automatically downloaded images from those messages, their servers would get a lot of information about you. For example, their server will record your IP address, which gives them a fair amount of information about your physical location. There’s a lot of other information that they’ll get automatically, which gives them lots of information to use to spam or phish you in the future.

We made the decision to relinquish some of our short-term usability to enhance security. We tried to mitigate the usability effects of this decision. You can set the pref to automatically download images from people in your address book. This isn’t a perfect solution, either: my address book has entries for Alaska Airlines, Hyatt Hotels, and my father. (Dad doesn’t need to be in my address book. His is one of the few telephone numbers that I can actually recite at will, unlike (for example) my own home number.) I don’t like having extra entries in my address book, but it’s the best solution that we have to the problem of spam, phishing, and maintaining security.

Making software is a series of trade-offs. This is just one example of one type of trade-off. Creating solutions to these problems is what makes my job interesting.

It’s not that over-the-top. The user is obviously pretty frustrated, and they’re telling us about it.

I can’t point the user to this entry because s/he didn’t give us their contact details. We allow anonymous feedback so that people can feel free to tell us what they really feel, and this user seems to have taken advantage of that and not pulled punches.

Actually I find this behavior quite pleasant. It is visible security, not that big of a deal for me anyway. It also prevents me from seeing a lot of crap image spam you can recognize it without download the images and instantly delete it. Some people however just do not understand it. I remember reading somewhere, the most secure computer in the world is locked in a vault, 6 stories below ground, with armed gaurds, there is no keyboard, mouse, network connection and no power. Secure yes, practical no. So your always going to have to make some trade offs somewhere for security.

Security isn’t measured only in terms of physical computer security or safety from viruses. Security also includes helping the user to avoid phishing attempts or fraudulent sellers (such as all of that spam for ultra-cheap perscriptions).

It isn’t necessarily security versus just usability. It’s broader than that. I see it as security versus convenience. Security strategies throughout the ages up to and including today have all been centralized around the concept of inconvenience. Hot tar, crocodile infested moats, hill-top castles are certainly not what you call convenient.

Asam – As anyone who is involved with having to fight spam can tell you, it’s an ongoing battle with ever-increasing technical difficulty. There’s at least one annual academic conference that I know of that deals with the issue of spam: http://www.ceas.cc/

Although I think our solution isn’t perfect, I have a difficult time classifying it as ‘crippling’ Entourage. As you can see from another comment in this thread, some users find this behaviour to be pleasant. Twiddle a pref, and Entourage will automatically download images from people who send you stuff if they’re in your address book.

Jason – Sure, that’s a reasonable way of looking at it. 🙂 I come from a pretty small town. My family didn’t lock the doors of our home until I was in high school. Remembering to lock/unlock the doors was a huge inconvenience when my parents decided to first start doing so in the name of security after a neighbour was robbed.

Each email client makes a decision how to handle the situation. Entourage is not the only email client that makes this particular decision. With the recent rise of image spam (as referenced in the story I linked earlier), our method means that our users aren’t automatically downloading a lot of junkmail that
takes up a lot of bandwidth for yet more V!agra spam.

Being that you hate everything that is Microsoft, you deem our solution ‘inferior’. Others don’t subscribe to your particular brand of unthinking vitriol. There are other email clients out there that aren’t made by Microsoft, and you’re free to use them and keep on feeding your weird little anti-Microsoft superiority complex.

Lol, Nadyne, chill out, but just make sure MacBU turns up at WWDC with a universal Office 12 ;P I’m getting my Merom enabled rev 2 MacBook Pro soon, and it’s really gonna piss me off if I have to use Rossetta….

Do you find spam interesting though Nadyne? I’m not talking about those dum ass programmers exploting spam for commercial gain, or those stupid pictures. All those words n stuff that those spam bots come up, do you think they’re getting clever? I got this theory, spam is like one computer communicating to another, maybe if they woke up that’s how they would talk to each other, or try to talk to us. I’ve been deep in the Singularity debate for a while, considering consquences of strong AI, if it would consider us pests and try and make batteries out of us, or maybe if it is truely inteligent, it will try and help us.

Lots to think about, found this video a while back, think Hawkings right to some extent, maybe we have to fuse with technology, but not in a borg like way.

You’re not honestly asking me to spend the next few hours reading over a web board the week before WWDC, are you?

There’s absolutely no way that I’m going to have enough time for something like that, not right now. Next week is WWDC, then I’m taking a week off, and then I’ll be heads-down working on Magnesium with a side of OOPSLA preparations. Check with me in early November, and then I might have the time to make an informed opinion.

“Asam – I hate to break it to you, but Office:Mac isn’t coming out before Windows Office 12. ”

Why not btw? Hasn’t Office Mac always come out with new features before the Windows version? Is Windows Office coming before or after Vista? It would need to come out before Vista to mnaintain backward compatibility at least with XP, no?

Just to be precise here, this security feature of Entourage does *not* block *every* image that people send. It does not block graphics files of any type that you send either as an attachment (in any type of email, plain text or HTML) nor as inserted inline in an HTML message. It only blocks images sent as src:image links with URLs to web sites, which Entourage itself cannot even do except via Word 2004 (Send To -> Mail Recipient (As HTML), and some other email clients (Thunderbird, Outlook) can do. These are almost always commercial sales messages (spam and otherwise).